1. Field of the Invention
The present invention relates to an improved data processing system and, in particular, to a method and apparatus for computer security.
2. Description of Related Art
The connectivity of the Internet provides malicious users with the ability to probe data processing systems and to launch attacks against computer networks around the world. While computer security tools provide defensive mechanisms for limiting the ability of malicious users to cause harm to a computer system, computer administrators are legally limited in their ability to employ offensive mechanisms. Although an intrusion detection system can alert an administrator to suspicious activity so that the administrator can take actions to track the suspicious activity and to modify systems and networks to prevent security breaches, these systems can typically only gather information about possible security incidents.
Honeypots have been developed as a tool to help computer security analysts and administrators in coping to a small degree with malicious computer activity. A honeypot has been defined as a resource that has value in being probed, attacked, or compromised. A resource may be an application, an object, a document, a page, a file, other data, executable code, other computational resource, or some other type of communication-type resource. For example, a honeypot may comprise a network of servers; a honeypot server is sometimes called a decoy server.
A typical honeypot is a computer server that has limited or no production value; in other words, a typical honeypot performs no significant work within an enterprise other than monitoring for activity. Since the honeypot has no significant production value, its significant value lies in the fact that it acts as a decoy to lure malicious users or hackers to probing or attacking it. In the meantime, it is hoped that a malicious user would ignore production systems that have true value within an enterprise. In addition, the honeypot collects information about probes or attacks. From this perspective, a honeypot provides a tool with a small offensive capability. Ideally, the honeypot maintains a malicious user's interest so that significant information can be gathered about the methods of operation of the malicious user and whether any computer security flaws are discovered that require immediate administrative attention.
Preventive measures are usually taken so that a malicious user does not discover the true nature of the honeypot; otherwise, the malicious user would ignore the honeypot and begin probing other systems. For example, steps are usually taken to hide any administrative information within a computer network about the existence of a honeypot so that a malicious user does not capture and read about the configuration of a honeypot, e.g., activity logs or special file names. Hence, it is common practice to configure honeypots as relatively simple systems with little activity so that sophisticated, malicious users do not detect any activity that might lead this type of user to suspect that a system that is being probed is a honeypot. For this reason, honeypots are typically taken offline to be administratively analyzed and manually reconfigured. While providing some utility, a typical honeypot remains a passive tool with limited utility.
Therefore, it would be advantageous to employ a honeypot in a more offensive role for assisting a system administrator in detecting malicious activity. It would be particularly advantageous to correlate the use of a honeypot with the use of computer security incident recognition systems and applications.